Abstract

A message digest is a fixed length output produced by applying a cryptographic
algorithm on input binary data of arbitrary length. If the input data changes even by
one bit, the generated message digest will be completely different from the original.
This is used in digital investigations to verify that stored digital evidence has not
been tampered with.

This technique has been applied successfully on physical disk images because
there is only one continuous stream of data. However, this is not applicable to logical
disk images where there is no obvious or standard method of concatenating
the data to produce an output message digest. This paper describes the
diffculties that complicate the computation of a message digest for logical
data. In addition, a candidate process for calculating a verification value
for computer forensic evidence for logical data, regardless of its underlying
representation is given. This method is presented in the context of cellphone
forensics.